author | Martin Kosek <mkosek@redhat.com> | 2011-10-11 10:26:21 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2011-10-11 14:49:36 +0200 |
commit | 88e693a1a5b95e9da94b927a0b827b3a0e39b7b7 (patch) | |
tree | 9b1af3d90a50cc8157f1e05c0e7ac9ea19456d0c /ipalib/plugins/config.py | |
parent | 59c2e0fbd10f98a460f11e6bd024741845922562 (diff) | |
download | freeipa-88e693a1a5b95e9da94b927a0b827b3a0e39b7b7.tar.gz freeipa-88e693a1a5b95e9da94b927a0b827b3a0e39b7b7.tar.xz freeipa-88e693a1a5b95e9da94b927a0b827b3a0e39b7b7.zip |
Improve default user/group object class validation
When user/group default object class is being modified via
ipa config-mod, no validation check is run. Check at least
the following:
- all object classes are known to LDAP
- all default user/group attributes are allowed under the new
set of default object classes
https://fedorahosted.org/freeipa/ticket/1893
Diffstat (limited to 'ipalib/plugins/config.py')
-rw-r--r-- | ipalib/plugins/config.py | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 7ef626553..aa0c19d2d 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -24,6 +24,10 @@ from ipalib.plugins.baseldap import *
 from ipalib import _
 from ipalib.errors import ValidationError
+# 389-ds attributes that should be skipped in attribute checks
+OPERATIONAL_ATTRIBUTES = ('nsaccountlock', 'member', 'memberof',
+ 'memberindirect', 'memberofindirect',)
+
 __doc__ = _("""
 Manage the IPA configuration
@@ -212,6 +216,25 @@ class config_mod(LDAPUpdate):
 raise errors.ValidationError(
 name=k, error='attribute "%s" not allowed' % a
 )
+
+ for (attr, obj) in (('ipauserobjectclasses', 'user'),
+ ('ipagroupobjectclasses', 'group')):
+ if attr in entry_attrs:
+ objectclasses = list(set(entry_attrs[attr] \
+ self.api.Object[obj].possible_objectclasses))
+ new_allowed_attrs = ldap.get_allowed_attributes(objectclasses,
+ raise_on_unknown=True)
+ checked_attrs = self.api.Object[obj].default_attributes
+ if self.api.Object[obj].uuid_attribute:
+ checked_attrs = checked_attrs + [self.api.Object[obj].uuid_attribute]
+ for obj_attr in checked_attrs:
+ if obj_attr in OPERATIONAL_ATTRIBUTES:
+ continue
+ if obj_attr not in new_allowed_attrs:
+ raise errors.ValidationError(name=attr,
+ error=_('%s default attribute %s would not be allowed!') \
+ % (obj, obj_attr))
+
 return dn
 api.register(config_mod) |
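Review bot: The two membership tests at the end of the second hunk, `if obj_attr in OPERATIONAL_ATTRIBUTES:` and `if obj_attr not in new_allowed_attrs:`, compare attribute names case-sensitively, while LDAP attribute and object-class names are case-insensitive; unless `ldap.get_allowed_attributes` already lower-cases its result (not visible in this hunk), a default attribute spelled differently from the schema would be rejected as "not allowed", and a differently-cased operational attribute would be checked instead of skipped. Normalizing once with `allowed = set(a.lower() for a in new_allowed_attrs)` and `name = obj_attr.lower()`, then testing `name` against both `OPERATIONAL_ATTRIBUTES` and `allowed`, makes the check independent of spelling. Separately, the guard `if attr in entry_attrs:` lets a value of `None` (the attribute being cleared) reach `entry_attrs[attr] + self.api.Object[obj].possible_objectclasses`, which would raise TypeError and surface as an internal error rather than the ValidationError this check exists to produce; `if attr in entry_attrs and entry_attrs[attr]:` avoids that, and a short comment such as `# refuse object-class sets under which the object's default attributes would become invalid` would record why the block exists. The method this block extends begins before the hunk; only its closing `return dn` is visible here.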